Message-ID: <E19zjyA-0007pl-00@mrelayng.kundenserver.de>
From: ml at intract.org (Michael Linke)
Subject: Re: AMDPatchB & InstallStub

This infected PC is only used to administer some servers over here using
VPN lines. Here in our network there are no additional copies of this
program.

But this PC has access to a corporate network via VPN, and in this network I
saw this file again. It crashed the moment I logged on via Windows
Terminal Services. But I was not able to find the program on this machine
after that.

So it seems it came over the VPN line to our machine here.

It uses 2-4 MB of RAM, 76 handles and 2-3 threads.
It was configured on our machine to load at boot using the registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtek 8139 fix"="amdpatchB.exe"

Regards,
Michael

_____________________

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On behalf of Peter Kruse
Sent: Wednesday, 17 September 2003 21:52
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] AMDPatchB & InstallStub

Hi,

Some kind of spyware/adware installed by the user??
Maybe a legit application??

Check: http://63.246.134.50/index.php

It would be nice to have a sample, thanks.

Kind regards // Med venlig hilsen

Peter Kruse
Security consultant / Virus analyst
CSIS / Kruse Security ApS
http://www.krusesecurity.dk - www.csis.dk

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On behalf of
> Michael Linke
> Sent: 17 September 2003 21:06
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] AMDPatchB & InstallStub
> 
> 
> On one of our computers with Internet access, I found a
> strange program running:
> amdpatchB.exe (38 KB)
>
> This program tries to get Internet access while starting.
> amdpatchB.exe is connecting to 63.246.134.50:9900. There is a
> text-based protocol running on 63.246.134.50 at a service on
> port 9900. See the telnet output:
> ________________________________________________________
> telnet 63.246.134.50 9900
> Trying 63.246.134.50...
> Connected to 63.246.134.50.
> Escape character is '^]'.
> NOTICE AUTH :*** Looking up your hostname
> NOTICE AUTH :*** Checking Ident
> NOTICE AUTH :*** Found your hostname
> help
> :Drones2.newiso.org 451 *  :Register first. 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
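The thread reports two artefacts that a responder can check mechanically: a Run-key value whose display name ("Realtek 8139 fix") has nothing to do with the executable it launches (amdpatchB.exe, given as a bare file name), and a telnet greeting from port 9900 whose "NOTICE AUTH" lines and ":server 451 * :Register first." reply have the shape of an IRC server greeting (451 is ERR_NOTREGISTERED in RFC 1459). The script below is an added example, not code from any participant in the thread; the registry export and the banner are constructed samples modelled on the quoted lines, the benign ctfmon.exe entry is added for contrast, and the heuristics (bare file name, name/executable mismatch) are the author's own, not an official rule set.

```python
"""Triage helpers for the two observations in this thread: a Windows
Run-key autostart entry and the greeting captured from the TCP service
the binary connects to. Added example, not code from any participant."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the registry lines quoted in the thread;
# the second value is a benign Windows XP entry added for contrast.
RUN_KEY_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtek 8139 fix"="amdpatchB.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Constructed sample modelled on the telnet transcript in the thread.
BANNER = """NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** Found your hostname
:Drones2.newiso.org 451 *  :Register first.
"""

@dataclass
class RunEntry:
    key: str
    name: str
    command: str
    findings: list = field(default_factory=list)

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def review_entry(name, command):
    """Heuristics for one autostart value; each finding is a short string."""
    findings = []
    exe = command.strip('"').split()[0] if command.strip() else ""
    # A bare file name is resolved through the PATH search, so the binary's
    # location (and therefore its origin) is not recorded in the registry.
    if "\\" not in exe and ":" not in exe:
        findings.append("bare filename: resolved via PATH search, origin unknown")
    # A display name sharing no token with the executable name is a common
    # disguise ("Realtek 8139 fix" launching amdpatchB.exe).
    stem = exe.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    name_tokens = set(re.findall(r"[a-z0-9]+", name.lower()))
    if stem and not any(tok in stem or stem in tok for tok in name_tokens):
        findings.append("value name does not match executable name")
    return findings

def parse_run_key(text):
    """Parse .reg-style text into RunEntry objects with review findings."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            name = m.group("name")
            data = m.group("data").replace("\\\\", "\\")  # undo .reg escaping
            entries.append(RunEntry(key, name, data, review_entry(name, data)))
    return entries

# IRC numeric reply: ":<server> <3 digits> <target> :<text>"
_IRC_NUMERIC_RE = re.compile(
    r"^:(?P<server>\S+) (?P<code>\d{3}) (?P<target>\S+)\s+:(?P<text>.*)$")

def classify_banner(text):
    """Return (protocol, server_name, numeric_codes) for a captured greeting.
    'NOTICE AUTH' lines and numeric replies form the IRC server greeting;
    451 is ERR_NOTREGISTERED (RFC 1459): commands refused before NICK/USER."""
    numerics, server, notice_auth = [], None, 0
    for line in text.splitlines():
        if line.startswith("NOTICE AUTH :"):
            notice_auth += 1
        m = _IRC_NUMERIC_RE.match(line)
        if m:
            server = m.group("server")
            numerics.append(int(m.group("code")))
    if notice_auth or numerics:
        return ("irc", server, numerics)
    return ("unknown", None, [])

def triage(reg_text, banner_text):
    """Combine both checks into a list of report lines."""
    report = []
    for e in parse_run_key(reg_text):
        for f in e.findings:
            report.append(f"{e.name!r} -> {e.command!r}: {f}")
    proto, server, codes = classify_banner(banner_text)
    if proto == "irc":
        report.append(f"remote service speaks IRC (server {server}, replies {codes})")
    return report

if __name__ == "__main__":
    for line in triage(RUN_KEY_EXPORT, BANNER):
        print(line)
```

Feed `parse_run_key` the output of `reg export` for the Run key (or a `.reg` backup) and `classify_banner` a saved terminal session; on the constructed samples the amdpatchB.exe entry draws both findings, the ctfmon.exe entry none, and the banner is classified as IRC with numeric 451 from Drones2.newiso.org.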


